Ben Laurie blathering

I’m a big fan of the EFF, so it comes as a bit of a surprise when I see them say things that don’t make any sense.

A while back the EFF posted a bill of privacy rights for social network users. Whilst I totally sympathise with what the EFF is trying to say here, I’m disappointed that they head the way of policymakers by ignoring inconvenient technical reality and proposing absurd policies.

In particular, I refer you to this sentence:

The right to control includes users’ right to decide whether their friends may authorize the service to disclose their personal information to third-party websites and applications.

In other words, if I post something to a “social network” (whatever that is: yes, I have an informal notion of what it means, and I’m sure you do, too, but is, say, my blog part of a “social network”? Email?) then I should be able to control whether you, a reader of the stuff I post, can do so via a “third-party application”. For starters, as stated, this is equivalent to determining whether you can read my post at all in most cases, since you do so via a browser, which is a “third-party application”. If I say “no” to my friends using “third-party applications” then I am saying “no” to my friends reading my posts at all.

Perhaps, then, they mean specific third-party applications? So I should be able to say, for example, “my friends can read this with a browser, but not with evil-rebroadcaster-app, which not only reads the posts but sends them to their completely public blog”? Well, perhaps, but how is the social network supposed to control that? This is only possible in the fantasy world of DRM and remote attestation.

Do the EFF really want DRM? Really? I assume not. So they need to find a better way to say what they want. In particular, they should talk about the outcome and not the mechanism. Talking about mechanisms is exactly why most technology policy turns out to be nonsense: mechanisms change and there are far more mechanisms available than any one of us knows about, even those of us whose job it is to know about them. Policy should not talk about the means employed to achieve an aim, it should talk about the aim.

The aim is that users should have control over where their data goes, it seems. Phrased like that, this is clearly not possible, nor even desirable. Substitute “Disney” for the “the users” and you can immediately see why. If you solve this problem, then you solve the DRM “problem”. No right thinking person wants that.

So, it seems like EFF should rethink their aims, as well as how they express them.

This entry was posted
on Saturday, October 2nd, 2010 at 22:18 and is filed under Privacy, Rants.
You can follow any responses to this entry through the RSS 2.0 feed.
Both comments and pings are currently closed.

4 Comments

Like you say, Ben, it sounds as though there is something well-intentioned behind that statement, even if it doesn’t come out clearly. The way I interpreted it (and I must admit, I’m just going on your quotation, so forgive me it context makes a nonsense of this interpretation…) was as follows:

“a user should have the right to decide/control whether disclosing data to a friend confers on that friend the ability to publish the data more widely, to (or via) third party websites and applications”

I think that’s slightly different from your counter-example, which is more “a user should have the ability to make it impossible for a friend to consume their disclosures using a third party website or application, rather than ‘directly'”.

In other words, I don’t think the EFF are saying that, if I want to consume your Facebook updates, you should have the means to ensure that I do so only via your page on facebook.com, and not by using some other app. I think what they want is for you to have the means to say “in publishing this data to my friends on Facebook, my intent is that those friends should not then re-broadcast it to an audience I have not chosen”.

Admittedly, it looks as though they go further than that and expect me to be able to enforce such a preference (through technical means), and not just express it – and that would, as you say, amount to a form of DRM.

It’s what I’ve been referring to for a while as “privacy beyond first disclosure”. I still happen to think it is a desirable principle… though I acknowledge that others disagree. For instance, Bob Blakley maintains that it’s unrealistic of me to expect to exercise control over other people’s narrative about me. I agree that, in the “real world”, people gossip, make stuff up about their friends, spread rumours, lies and innuendo, so, yes, other people’s narratives about me exist and spread beyond my control – and that’s life. On the other hand, “real life” does not, under normal circumstances, allow such things to spread instantly to a global audience.

I know, in “dot com” e-commerce days, “frictionless” transactions were seen as the ultimate good. When it comes to social networking, I’m convinced that a little friction is actually a very healthy thing. Whether that friction is supplied by technical, procedural or governance means is another question… but “frictionless” global disclosure is a scary prospect.

Actually, strike all my previous comment; there’s something far more irritating in the EFF piece. I refer of course to the first sentence of #3: “giveth” and “taketh” are the 3rd person singular forms of the verbs “give” and “take”. They are neither the 3rd person plural, nor the infinitive forms. Aaaagghh!

I mean, for goodness’ sake, presumably Mr Opsahl would not write:
“Users gives, and users should have the right to takes away.” That would just sound stupid.